On May 27, 2026, the DeFi protocol Stake DAO suffered a security attack. Attackers obtained the protocol's deployer private key on the Arbitrum chain, used it to manipulate the LayerZero cross-chain bridge configuration, minted 5.4 trillion vsdCRV tokens, and exchanged a portion for 44 ETH (valued at approximately $91,000).
Key Transaction Hashes:
- Minting Transaction: 0x7489ec5f5dba1de6e6c92f2c0f1dd93bd4a2f307c3bd2305b2f93f569a3e5fe5
🔍 Attack Vector Analysis
Attack Flow
- Private Key Acquisition: Attackers obtained Stake DAO's Arbitrum deployer key
- Configuration Manipulation: Used the key to reset the peer configuration of vsdCRV's LayerZero OFT contract
- Cross-Chain Message Forgery: Sent forged cross-chain messages through a malicious peer
- Unlimited Minting: Contract accepted forged messages, unconditionally minting 5.4 trillion vsdCRV
- Rapid Exchange: Exchanged tokens for ETH via MetaMask public router
- Cross-Chain Transfer: Cross-chained ETH to Ethereum mainnet
Timeline — 25 Seconds to Disaster
- T+0: Attacker used deployer key to reset LayerZero peer configuration
- T+25s: Malicious contract sent cross-chain message via LayerZero
- T+25s: Contract minted 5.4 trillion vsdCRV to attacker address
- Immediately: Attacker exchanged tokens for ETH through DEXs
- Subsequently: Cross-chained ETH to Ethereum mainnet
Technical Details
According to BlockSec:
"The attacker obtained the deployer key and set an arbitrary peer for vsdCRV. Using this peer, they sent a malicious message, triggering an unconditional minting of approximately 5.44T vsdCRV."
According to Sodot co-founder Shalev Keren:
"No smart contract vulnerabilities, no LayerZero flaws. Just one private key controlling a privileged configuration function, no multisig, no delay between configuration change and on-chain minting."
📊 Fund Flow
| Step | Asset | Amount |
|---|---|---|
| Minting | vsdCRV | 5,446,744,073,709 |
| Exchange | ETH | ~44 ETH |
| Cross-Chain | ETH (Arbitrum→Ethereum) | ~44 ETH |
⚠️ Systemic Risk: The "Deployer Key" Problem
2026 DeFi Security Landscape
This attack continues the severe run of DeFi security incidents in 2026:
- April 2026: DeFi attacks resulted in $641.67 million in losses
- Kelp DAO: $292 million | Drift Protocol: $285 million | Wasabi Protocol: $45 million
Common Pattern: Single Key = Single Point of Failure
This attack shares the same pattern as:
- Wasabi Protocol (April 2026): Deployer key leakage, $45 million lost across 4 chains
- Multiple 2026 DeFi attacks: All involving a single point of failure in a privileged key
OpenZeppelin founder Manuel Aráoz commented:
"I think all DeFi is insecure."
The fundamental asymmetry: attackers only need to find one weakness, while defenders must protect every possible attack surface.
🛡️ Protection Recommendations
For Protocol Developers
- Remove Single Points of Failure: Avoid using a single private key for critical configurations
- Implement Timelocks: Configuration changes should require multi-signature approval and a delay before they take effect
- Audit Key Management: Include key management and configuration permissions in security audits
- Emergency Pause: Deploy emergency pause mechanisms to respond to key leakage
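Added example (not Stake DAO's or LayerZero's code) of the first three recommendations applied to the peer-configuration function at the centre of this incident: the single-key setter that takes effect immediately, beside a version where a multisig proposes, a delay must elapse, a guardian can cancel or pause, and the receive path checks the peer before any mint. Contract and function names, the DELAY value, and the multisig and guardian addresses are assumptions; the setPeer(uint32, bytes32) shape mirrors OApp-style peer configuration but nothing here inherits from it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not Stake DAO or LayerZero code. The setPeer(uint32, bytes32)
// shape mirrors OApp-style peer configuration, but nothing here inherits it.
// Weak pattern (the incident's shape): one key, change effective immediately.
contract PeerConfigWeak {
    address public owner = msg.sender;
    mapping(uint32 => bytes32) public peers;
    function setPeer(uint32 eid, bytes32 peer) external {
        require(msg.sender == owner, "not owner");
        peers[eid] = peer; // a leaked key can point this at attacker code at once
    }
}
// Hardened pattern: multisig proposes, anyone executes after DELAY,
// a guardian can cancel or pause, and the receive path checks the peer.
contract PeerConfigTimelocked {
    uint256 public constant DELAY = 2 days;
    address public immutable multisig; // assumed Safe-style multisig
    address public immutable guardian; // may only cancel or pause
    mapping(uint32 => bytes32) public peers;
    mapping(bytes32 => uint256) public readyAt; // proposal id => earliest execution
    bool public paused;
    event PeerProposed(uint32 indexed eid, bytes32 peer, uint256 readyAt);
    constructor(address m, address g) { multisig = m; guardian = g; }
    function proposeSetPeer(uint32 eid, bytes32 peer) external {
        require(msg.sender == multisig, "not multisig");
        bytes32 id = keccak256(abi.encode(eid, peer));
        readyAt[id] = block.timestamp + DELAY; // public notice window for monitors
        emit PeerProposed(eid, peer, readyAt[id]);
    }
    function executeSetPeer(uint32 eid, bytes32 peer) external {
        bytes32 id = keccak256(abi.encode(eid, peer));
        require(readyAt[id] != 0 && block.timestamp >= readyAt[id], "delay not elapsed");
        delete readyAt[id];
        peers[eid] = peer;
    }
    function cancelSetPeer(uint32 eid, bytes32 peer) external {
        require(msg.sender == guardian || msg.sender == multisig, "not authorised");
        delete readyAt[keccak256(abi.encode(eid, peer))];
    }
    function setPaused(bool p) external {
        require(msg.sender == guardian, "not guardian");
        paused = p;
    }
    // Call from the receive path before any mint: unknown peer or paused state reverts.
    function requireTrustedPeer(uint32 srcEid, bytes32 sender) external view {
        require(!paused, "paused");
        require(peers[srcEid] == sender, "untrusted peer");
    }
}
```

The PeerProposed event is what turns the delay into a detection window: a monitor that alerts on it gives the guardian the time this incident's 25 seconds did not.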
For Users
- Monitor Protocol Announcements: Follow project security alerts
- Limit Exposure: Avoid keeping large amounts in a single protocol long-term
- Respond Quickly: Immediately withdraw affected assets when security incidents occur
🔗 Protect Your Assets with ChainSentinel
Real-time on-chain threat detection and risk assessment for DeFi protocols and wallets.
ChainSentinel — On-chain security intelligence, automated.